A common use of communication networks is to provide users access to network resources such as software, electronic data, or files in storage systems or databases connected to the network. As the number of users on a given network increases, there is often a need to control user access rights to resources on the network.
Network environments often involve a variety of network users, where the users may be grouped or categorized by a relation or role that the user serves in the environment. For example, in an engineering or technical development company environment, users of the company's computer network may include company officers, directors, managers, engineers, technical support staff, office support staff, accounting department staff, information technology (IT) department staff, contractors, consultants, temporary employees or other relation-based or role-based groups or categories of network users. Other companies, organizations or network environments may have other relation or role-based groups of users. Each user may have a need to access certain network resources in connection with the user's relation or role. In addition, it may be desirable to restrict users with certain relations or roles from access to certain resources, for example, for security, privacy or other reasons.
In many conventional businesses or organizations, specific personnel perform the function of managing users according to their roles. For example, an office administrator may place an order with the organization's IT department to have one or more resources available on the day a new user joins the organization. Individuals from the IT department would then manually set up these resources. Over the course of time, the user's relationship or roles within the organization may change, for example, as the user is transferred, promoted, demoted or terminated from the organization. As a user's relationship or role with the organization changes, the user's needs or rights to access resources may change.
The burden on the office administrator and office personnel to manually administer user access to resources in the above example is typically dependent on the size of the organization (the number of users) and the rate at which users join or leave the organization or otherwise change roles. To improve efficiency and reduce the burden on the office administrator and office personnel, some organizations have used software applications which automate or partially automate some of the tasks relating to managing certain, limited types of resources to users.
FIG. 1 illustrates a prior art method 100 of providing access control. At block 101, the prior art method 100 determines what operations a user is allowed to perform on one or more resources. At block 111, the prior art method 100 provides access control based on the operations the user can perform. Accordingly, if a user has been explicitly assigned a privilege to perform an operation on a resource, then the user can perform the operation. Thus, prior art method 100 uses a privilege-based access control system. Whenever a user or group of users is added to the system, an administrator must explicitly configure a set of privileges for each group of resources in the system. If a new resource is introduced, the administrator may need to modify the privileges of every user known to the system. As the number of users and resources grows, the usability of the system declines and security is reduced. Also, usability declines because users are not granted privileges that they need to complete their job functions because granular management is too expensive.
Because it is typically very inconvenient for a system administrator to provide each user with individual access rights and to achieve a higher grade of data security and integrity in a computer system, Role-Based Access Control (RBAC) methods have been developed. RBAC is one form of automatic access control management that has become commercially available. RBAC provides permissions (access rights) to a user to access certain accounts (files, web pages, etc.) available over the network, based on a person's role in the organization.
Therein, a role is mainly a definition of a job at the lowest level of granularity used in the enterprise or organization. In an RBAC system, the system administrator only has to grant or revoke access rights to a role and has to group different subjects under each role. Role-based access control (RBAC) is a system whereby access to resources is defined and controlled based on the role or job function of a user, rather than based on organizational group.
A prior art RBAC method includes associating operations to users. Accordingly, a role can perform one or more operations. For example, a role “Adminstrator” can perform backup of all files, while a role “CEO” can write to all files. Typically, a role is defined as a data structure that includes a two-column table with user ids in column and associated operations in the other column. For example, for the roles “Senior Administrator” and “Junior Administrator”, an example two column table 200 is shown in FIG. 2A. Thus, users with the role “Senior Administrator” can perform read, write and backup operations on all resources in the system, while users with the role “Junior Administrator” can perform only read and write operations on all resources in the system. This prior art method provides very little granularity as the system does not differentiate between resources.
Also, modern organizations may be structured along several intersecting lines. For example, organizations may be structured according to title (presidents, vice-presidents, directors, managers, supervisors, etc.), technology (electronics, mechanical, software, etc.), project (product A, B, C, etc.), location (Irvine, N.Y., etc.) and the like. A single user may appear in several or all of these organizational structures, and thus may be in a somewhat unique overall role as compared to other users in the organization. Because this may require that many users be provisioned uniquely, many unique roles would have to be defined in the system to further such managing. Also, a large number of similar but not identical job positions in an organization require a large number of roles. This large number of roles causes a high storage requirement and high computing requirements for the security system within the computer system, leading to high costs for the operation of the security system. Furthermore, it is disadvantageous that the large number of roles makes it very difficult to manage the security system. The system administrator has to create a new role when a person remains in his job position but changes his location or project. Furthermore, a role includes the union of all operations and resources which users of that role have in different organization units of the enterprise. This means that the role will not necessarily contain the least permission necessary for the functions of that role.
An example of a computer system that requires that accesses to data by users are controlled is a business enterprise or other organization that manages large volumes of data and may operate multiple storage servers concurrently. These storage servers may be connected to each other through one or more networks. The storage servers and other network components may be managed by one or more network administrators (also called “administrative users” or simply “administrators”), who are responsible for configuring, managing and monitoring the storage servers, scheduling backups, troubleshooting problems with the storage servers, performing software upgrades, etc. These management tasks can be accomplished by the administrator using a separate management console on the network. The management console is a computer system that runs a storage management system application specifically designed to manage a distributed storage infrastructure. An example of such storage management software is DataFabric® Manager (DFM), which is made by Network Appliance, Inc. of Sunnyvale, Calif.